Skip to content
Threat Feed
high advisory

CVE-2026-10192 - Tenda W12 Stack-Based Buffer Overflow in set_local_time_0

A stack-based buffer overflow vulnerability exists in Tenda W12 version 3.0.0.7(4763) in the `set_local_time_0` function, which allows a remote attacker to execute arbitrary code by manipulating the Time argument.

A stack-based buffer overflow vulnerability, CVE-2026-10192, has been identified in Tenda W12 router version 3.0.0.7(4763). The vulnerability resides in the set_local_time_0 function within the /bin/httpd binary, responsible for handling time synchronization. A remote attacker can exploit this flaw by crafting a malicious Time argument in a request to this function, leading to arbitrary code execution due to the buffer overflow. This exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows an attacker to gain complete control of the device, potentially leading to data theft, device hijacking, or integration into a botnet.

Attack Chain

  1. The attacker identifies a Tenda W12 router running firmware version 3.0.0.7(4763) accessible over the network.
  2. The attacker sends a crafted HTTP request targeting the /bin/httpd service.
  3. The HTTP request is designed to call the set_local_time_0 function.
  4. The request includes a malicious Time argument that exceeds the buffer size allocated for it.
  5. The set_local_time_0 function attempts to copy the overly long Time argument into the buffer, triggering a stack-based buffer overflow.
  6. The overflow overwrites adjacent memory on the stack, potentially including the return address.
  7. The attacker manipulates the return address to point to malicious code injected into the device’s memory.
  8. Upon function return, control is transferred to the attacker’s injected code, allowing arbitrary command execution.

Impact

Successful exploitation of CVE-2026-10192 can grant a remote attacker complete control over the Tenda W12 router. This could lead to unauthorized access to sensitive information, modification of router settings, or the use of the router as a node in a botnet for distributed denial-of-service (DDoS) attacks or other malicious activities. Given the availability of a public exploit, the risk of widespread exploitation is significant, potentially affecting a large number of home and small business networks.

Recommendation

  • Apply available patches or firmware updates from Tenda to address CVE-2026-10192.
  • Monitor network traffic for suspicious HTTP requests targeting the /bin/httpd service with unusually long Time arguments, using the provided Sigma rule.
  • Implement network segmentation to limit the impact of a successful exploit on other devices on the network.
  • Consider deploying a web application firewall (WAF) to filter malicious requests targeting the set_local_time_0 function.
  • Disable remote management access to the router if not required.

Detection coverage 2

Detects CVE-2026-10192 Attempt — Suspiciously Long Time Parameter in HTTP Request

high

Detects CVE-2026-10192 exploitation attempt — Monitors web server logs for HTTP requests with an abnormally long Time parameter, indicative of a potential buffer overflow attack against the Tenda W12 router.

sigma tactics: initial_access techniques: T1068, T1190 sources: webserver

Detects CVE-2026-10192 — HTTP Request to /bin/httpd with 'set_local_time_0'

medium

Detects CVE-2026-10192 exploitation attempt — Monitors web server logs for HTTP requests targeting /bin/httpd and containing 'set_local_time_0' in the query.

sigma tactics: initial_access techniques: T1068, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →